Newsletter

05.24.2021 | 6'' read

More mysterious Android, MacOS zero-day attacks

by Ryan Naraine

Security Conversations thanks the following sponsors for supporting the production of our high-signal, low-noise coverage of the cybersecurity industry: Uptycs (SQL-powered security analytics), Eclypsium (firmware security), Symmetry Systems (data visibility and protection), MongoDB (general purpose database platform) and SecurityWeek (enterprise security news and analysis).

Was this newsletter forwarded to you? Sign up here! Say hello on Twitter (DMs are open).


Monday blues. 

I know it’s tough to get excited about another freakin’ virtual event, but I wanted to flag the really strong agenda at this week’s Threat Intelligence Summit for your awareness. I’ll be kicking off the day tomorrow with a fun live fireside chat with Thomas Rid, professor of strategic studies at Johns Hopkins School of Advanced International Studies.

The author of Active Measures: The Secret History of Disinformation and Political Warfare will join me to decipher the threat-intelligence discipline, nation-state connections to ransomware attacks, supply chain security implications, and the nuance of properly describing certain types of security incidents.

On Wednesday, I’ll be moderating a separate discussion with threat-intelligence practitioners on the currency of IOCs and how crowdsourced data can drive threat hunting at scale. Discussion victims include Gusto CISO Fredrick ‘Flee’ Lee, Armorblox CTO Rob Fry and Prevailion CTO Nate Warfield.

Separately, there’s a really strong talk by Microsoft’s John Lambert on the evolution of data sharing, an ‘inside story’ presentation from Volexity’s Josh Grunzweig on the Microsoft Exchange hack, and an all-CISO panel on connecting threat intelligence to securing the software supply chain.

Needless to say, I can’t recommend this event, running tomorrow and Wednesday, enough. Even the sponsor sessions look particularly interesting (imagine!).

More mysterious Android/MacOS zero-day attacks

The deluge of zero-day attacks hitting victims across all major computing platforms is more eyebrow-raising every day. Just this week, Google quietly updated an Android bulletin to add the dreaded “may be under limited, targeted exploitation” language but, as is the norm, there are no IOCs or any documentation to help defenders.

Shout-out to Ars Technica scribe Dan Goodin for calling out the vague, meaningless language that leaves defenders more puzzled than protected. Google’s Shane Huntley not only joined the discussion with an explanation of sorts, but he DM’d me his tweet to make sure I saw that Google was aware of the frustrations.

“We are working to provide more information where possible on what we observe but it is a trade off and sometimes either don’t have the details or can’t reveal all the info that some people want. We still think there’s value releasing what we can,” Huntley explained.

Several Googlers privately cited the “potential exposure of sources and methods” reality as the main reason for the lack of transparency around IOCs and other useful data.

While scribbling this note, I noticed that Apple just dropped another batch of MacOS patches with the mysterious “this issue may have been actively exploited” buried in a bulletin. Nothing more. Just that an attack happened, here’s a patch, and good luck.

We’ve somehow normalized this, because big companies like Google and Apple refuse to set a better standard. And the beat goes on, week after week, month after month.

_ryan


On to the newsletter.

New podcast – Alex Matrosov on the state of security at the firmware layer
🎧 On the show this week, I sat down with outgoing head of offensive security research at NVIDIA Alex Matrosov to discuss the state of security at the firmware layer, the need for specialized reverse engineering skills, the limits of hardware bug bounty programs and the future of advanced malware analysis.

This is an important conversation. Give it a listen!


A sample of upcoming guests.

  • Collin Greene, head of product security, Facebook.
  • Heather Adkins, information security leader, Google
  • Michael Laventure, threat intelligence, detection and response, Netflix
  • Anne Marie Zettlemoyer, vice president, security engineering, Mastercard

Full conversations are available on the SecurityConversations.com home page, and on all major platforms: Apple, Google, Spotify and Amazon.


Uptycs sponsor message: Going on the ATT&CK versus FIN7 and Carbanak

The most recent MITRE ATT&CK evaluation round focused on the FIN7 and Carbanak threat groups. In this 40-minute on-demand discussion, I get a first-hand look at how the Uptycs platform not only detects the activity of these groups but also provides the context that analysts need to quickly understand how signals are tied together. Catch the discussion here.


Ransomware upends insurance market.

The ransomware epidemic is causing some major hiccups in the cybersecurity insurance market, and the U.S. government’s watchdog group is warning that insurers are jacking up premiums and cutting back on coverage in healthcare and education. The U.S. GAO issued a 26-page report (pdf) with a few major warnings:

“Industry sources said higher prices have coincided with increased demand and higher insurer costs from more frequent and severe cyberattacks. In a recent survey of insurance brokers, more than half of respondents’ clients saw prices go up 10–30 percent in late 2020.”

“Industry representatives told GAO the growing number of cyberattacks led insurers to reduce coverage limits for some industry sectors, such as healthcare and education.”

“The continually increasing frequency and severity of cyberattacks, especially ransomware attacks, have led insurers to reduce cyber coverage limits for certain riskier industry … and for public entities and to add specific limits on ransomware coverage.”

DarkReading’s Rob Lemos has related coverage of global insurer AXA refusing to reimburse French companies for ransomware extortion payments to cybercriminals. This news comes right after another insurance powerhouse, CNA Financial, confirmed it shelled out $40 million to purchase decryption keys to help with a ransomware attack.

Meanwhile, when marketing trumps security, we end up with stories like this. Sigh.

Tangentially.

Have a fantastic week.

_ryan

PS: The podcast is available on all platforms (Apple, Google, Spotify and Amazon). As the kids say, like and subscribe, like and subscribe.
